The REST API provides secure administrative tasks for managing and auditing permissions (aka Access Control List, or ACL). All of the REST APIs require a cryptographic signature and a timestamp that is reasonably close to NTP time.
timestamp is an HTTP query parameter following the Unix Time convention
(number of seconds elapsed since 00:00:00 January 1, 1970 UTC). The service will
reject any request whose timestamp differs by more than 60 seconds from the
current time according to NTP. This strict requirement prevents certain kinds of
signature is an HTTP query parameter computed with the HMAC+SHA256
algorithm and encoded with URL-safe Base64. The message to be signed is composed
of all query parameters (with the obvious exception of the signature itself) plus
the PubNub account subscribe and publish keys, and the REST resource. The
signing key is the PubNub account secret key. Full details for signature
computation are provided later.
Computing the Signature
<sign> is computed using HMAC+SHA256 with the user's secret key as the signing
key, and the request string as the message. The request string is composed of
the request query parameters concatenated to the subscribe key, publish key, and
audit) in the following format string:
Query string parameters must be sorted lexicographically (case-sensitive) by
key. Secondly, all characters in the query string parameters must be
percent-encoded except alphanumerics, hyphen, underscore, and period; that is, all
characters matching the RegExp
/[^0-9a-zA-Z\-_\.]/. Space characters must be
+ character). Each key-value pair must be separated by
ampersand characters. Unicode characters must be broken up into UTF-8 encoded
bytes before percent-encoding.
Here is an example of a query string containing unicode characters:
And here is the same query string after sorting and percent-encoding:
Here is a full example message:
demo demo grant auth=jay&channel=jays_channel&r=1&timestamp=123456789&ttl=1440&w=1
Let's imagine the demo account's secret key is:
The signature generated for this request is Base64 encoded using the "URL safe"
This signature is then percent-encoded according to standard query parameter
percent-encoding practices. E.g. the
= character is transformed into
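The signing rules above, together with the 60-second timestamp window, as an added Python example (not PubNub's own code). The field separator `sep` is supplied by the caller because the format string is not reproduced on this page; the secret key, the uppercase hex digits in the percent-encoding, and the `verify` helper are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Bytes left unencoded: alphanumerics, hyphen, underscore, period (the page's rule).
UNRESERVED = frozenset(
    b"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.")
MAX_SKEW = 60  # seconds; the window stated on the page


def pct(value):
    """Percent-encode each UTF-8 byte outside UNRESERVED ('~' and ' ' included)."""
    return "".join(chr(b) if b in UNRESERVED else "%%%02X" % b  # hex case: assumption
                   for b in str(value).encode("utf-8"))


def canonical_query(params):
    """Drop the signature, sort by key (case-sensitive), join pairs with '&'."""
    return "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items())
                    if k != "signature")


def sign(secret, sub_key, pub_key, resource, params, sep):
    """HMAC-SHA256 over the request string, URL-safe Base64. `sep` is an assumption."""
    message = sep.join([sub_key, pub_key, resource, canonical_query(params)])
    mac = hmac.new(secret.encode(), message.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii")


def verify(secret, sub_key, pub_key, resource, params, sep, now=None):
    """Receiver-side check (hypothetical helper): window first, then constant time."""
    now = time.time() if now is None else now
    try:
        ts = int(params["timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW:
        return False
    expected = sign(secret, sub_key, pub_key, resource, params, sep)
    return hmac.compare_digest(expected.encode(),
                               str(params.get("signature", "")).encode())


if __name__ == "__main__":
    # Constructed request reusing the page's example parameters; the key is made up.
    p = {"w": 1, "ttl": 1440, "timestamp": 123456789, "r": 1,
         "channel": "jays_channel", "auth": "jay"}
    p["signature"] = sign("constructed-secret", "demo", "demo", "grant", p, "\n")
    print(canonical_query(p), verify("constructed-secret", "demo", "demo", "grant",
                                     p, "\n", now=123456789 + 5))
```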